Slightly disturbing news about Aave (AAVE), a lending protocol for decentralized finance (DeFi). BlockSec, a company that checks smart contracts, reports that a bug in an old version of Aave has left assets such as wrapped ether (WETH), tether (USDT), wrapped bitcoin (WBTC), and wrapped matic (WMATIC) locked up. Users are currently unable to withdraw these tokens. In total, the locked tokens represent a value of $110 million.
The Aave v2 Polygon protocol
BlockSec reports that the issue specifically affects tokens held in an Aave v2 Polygon liquidity pool. BlockSec found that some of the code works with Ethereum (ETH), but not with Polygon (MATIC). Other versions, such as Aave v3 Polygon or the v2 implementations on Ethereum and Avalanche (AVAX), still work. The issues were caused by a patch released on May 16 that failed to account for minor code differences on Polygon.
.@AaveAave the latest upgrade of ReserveInterestRateStrategy in Aave V2 (Polygon) has caused a temporary halt of the protocol, impacting assets worth ~$110M!
The root cause is the new ReserveInterestRateStrategy is only compatible with Ethereum, not compatible with Polygon. https://t.co/kg5696QNPo pic.twitter.com/Ze3zSBS8Ck
— BlockSec (@BlockSecTeam) May 19, 2023
Have victims lost millions?
Although it is currently impossible to withdraw the tokens, the team behind the DeFi project said that the funds of the victims are “completely safe”. The issues can be resolved through a round of voting. The vote will take place between May 20 and May 23. The proposal seeks approval from the Aave DAO, the project’s governing body, to implement code changes.
It is expected that the community will approve the proposal. A patch will then be introduced to fix the problems, so that the victims can regain access to their tokens. The incident highlights a problem that critics of DeFi protocols frequently cite: these types of projects are still prone to bugs, and that can quickly lead to lost funds. In Aave’s case, the problem seems to be fizzling out.